Tags: bug-hunting 


We can exploit two things. First, it is possible to have only the first 11 letters tested for not being uppercase letters. Second, the correct hash is at the same place on the stack, and it is possible to not end the input hash with a \x00. So take the seed, compute the 100 following hashes, and for each one send its first 11 letters, or aaaaaaaaaaa if there is an uppercase letter, without ending the string with a newline or a \x00. The flag follows. (See payload.py and session.)

Original writeup (https://github.com/Beers4Flags/writeups/tree/master/2018/Timisoara/Pwn/Pwnescu).